PEM Files

PEM is the standard format for OpenSSL and many other SSL tools. The format is designed to be safe for inclusion in ASCII or even rich-text documents, such as emails. This means that you can simply copy and paste the content of a PEM file into another document and back.

The following is a sample PEM file containing a private key and a certificate. Please note that real certificates are a couple of times larger, containing much more random text between the "BEGIN" and "END" headers.

-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDg
MBQGCCqGSIb3DQMHBAgD1kGN4ZslJgSCBMi1xk9jhlPxPc
9g73NQbtqZwI+9X5OhpSg/2ALxlCCjbqvzgSu8gfFZ4yo+
A .... MANY LINES LIKE THAT ....
X0R+meOaudPTBxoSgCCM51poFgaqt4l6VlTN4FRpj+c/Wc
blK948UAda/bWVmZjXfY4Tztah0CuqlAldOQBzu8TwE7WD
H0ga/iLNvWYexG7FHLRiq5hTj0g9mUPEbeTXuPtOkTEb/0
GEs=
-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJAJC1HiIAZAiIMA0GCSqGSIb3Df
BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVx
aWRnaXRzIFB0eSBMdGQwHhcNMTExMjMxMDg1OTQ0WhcNMT
A .... MANY LINES LIKE THAT ....
JjyzfN746vaInA1KxYEeI1Rx5KXY8zIdj6a7hhphpj2E04
C3Fayua4DRHyZOLmlvQ6tIChY0ClXXuefbmVSDeUHwc8Yu
B7xxt8BVc69rLeHV15A0qyx77CLSj3tCx2IUXVqRs5mlSb
vA==
-----END CERTIFICATE-----
    

A few rules apply when copying a certificate around:

  • A single key or certificate must start with the appropriate header and end with the matching footer, such as "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----". Always copy the certificate together with its header and footer lines.
  • The number of dashes ("-----") is meaningful, and must be correct.
  • When saving the certificate to a PEM file, make sure you use the correct line termination. PEM files use the Unix convention of ending each line with a single "Line Feed" character, while some text editors use the Windows convention of a two-character line ending. If your PEM file was saved on Windows, you can fix it on a Unix command line with the tr (translate) tool, which removes the extra line-termination character used on Windows:
    $ tr -d '\r' < original.pem > fixed.pem
                    

A single PEM file can contain a number of certificates and a key, for example, a single file with:

  • Public certificate
  • Intermediate certificate
  • Root certificate
  • Private key

For many purposes, it is a common task to split a single PEM file into a number of PEM files, each containing only a single part of the document, such as a file that contains only the private key. To do this, make sure you have read the above rules for working with PEM files, then open your editor and copy a single part of the PEM file, from the start header to the end header, with both lines included, into another file.

If you copy the key from the above PEM file to a separate file, your file will look like this:

-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIS2qgprFqPxECAggA
MBQGCCqGSIb3DQMHBAgD1kGN4ZslJgSCBMi1xk9jhlPxP3FyaMIUq8QmckXCs3Sa
9g73NQbtqZwI+9X5OhpSg/2ALxlCCjbqvzgSu8gfFZ4yo+Xd8VucZDmDSpzZGDod
A .... MANY LINES LIKE THAT .... .... MANY LINES LIKE THAT .... 
X0R+meOaudPTBxoSgCCM51poFgaqt4l6VlTN4FRpj+c/WZeoMM/BVXO+nayuIMyH
blK948UAda/bWVmZjXfY4Tztah0CuqlAldOQBzu8TwE7WDwo5S7lo5u0EXEoqCCq
H0ga/iLNvWYexG7FHLRiq5hTj0g9mUPEbeTXuPtOkTEb/0ckVE2iZH9l7g5edmUZ
GEs=
-----END ENCRYPTED PRIVATE KEY-----
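
The same split can be scripted instead of done by hand in an editor. The following is an added example, not part of the original page: it applies the rules above (five dashes, matching header and footer, Unix line endings) and returns each part of a bundle separately. The names split_pem, pick and SAMPLE are hypothetical, and the sample data is constructed placeholder base64, not real key material.

```python
import re

# A boundary line is exactly five dashes, BEGIN or END, a label, five dashes.
BOUNDARY = re.compile(r"^-----(BEGIN|END) ([A-Z0-9 ]+)-----$")

def split_pem(text):
    """Return [(label, block_text), ...] for every PEM block in text.
    Line endings are normalized to a single line feed; a malformed or
    unmatched boundary line raises ValueError.
    """
    blocks, label, lines = [], None, []
    for raw in text.replace("\r\n", "\n").split("\n"):
        line = raw.strip()
        m = BOUNDARY.match(line)
        if line.startswith("-") and not m:
            raise ValueError(f"malformed boundary line: {line!r}")
        if m and m.group(1) == "BEGIN":
            if label is not None:
                raise ValueError(f"BEGIN inside unfinished {label} block")
            label, lines = m.group(2), [line]
        elif m:  # END line: must close the block that is open
            if m.group(2) != label:
                raise ValueError(f"END {m.group(2)} does not close {label}")
            lines.append(line)
            blocks.append((label, "\n".join(lines) + "\n"))
            label = None
        elif label is not None and line:
            lines.append(line)  # base64 body line inside a block
    if label is not None:
        raise ValueError(f"missing END line for {label}")
    return blocks

def pick(blocks, wanted):
    """Join the blocks whose label ends with `wanted`, e.g. 'PRIVATE KEY'."""
    return "".join(body for label, body in blocks if label.endswith(wanted))

# Constructed sample bundle (placeholder base64, not real key material),
# written with Windows line endings to exercise the normalization.
SAMPLE = (
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\r\nQUJDREVGRw==\r\n"
    "-----END ENCRYPTED PRIVATE KEY-----\r\n"
    "-----BEGIN CERTIFICATE-----\r\nSElKS0xNTg==\r\n"
    "-----END CERTIFICATE-----\r\n"
)

if __name__ == "__main__":
    parts = split_pem(SAMPLE)
    print([label for label, _ in parts])
    print(pick(parts, "PRIVATE KEY"), end="")
```

When writing the private-key part to its own file, restrict that file's permissions to the owner (for example mode 600), since the split copy is no longer protected by whatever guarded the original bundle.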
    

You can read more about working with pem files at the OpenSSL command, tips, and tricks page.